
rand: detect if FIPS approved randomness sources are being used.

This boils down to the operating system sources and RDRAND.
All other sources are not available in the FIPS module.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
master
Pauli 2 years ago
parent
commit
45554b5c71
1 changed files with 33 additions and 1 deletions
  1. +33
    -1
      providers/implementations/rands/seeding/rand_unix.c

+ 33
- 1
providers/implementations/rands/seeding/rand_unix.c

@ -37,6 +37,36 @@
# include <sys/param.h>
#endif
/*
* Provide a compile time error if the FIPS module is being built and none
* of the supported entropy sources are available.
*/
#if defined(FIPS_MODULE)
# if !defined(OPENSSL_RAND_SEED_GETRANDOM) \
&& !defined(OPENSSL_RAND_SEED_DEVRANDOM) \
&& !defined(OPENSSL_RAND_SEED_RDCPU) \
&& !defined(OPENSSL_RAND_SEED_OS)
# error FIPS mode without supported randomness source
# endif
/* Remove the sources that are not permitted in FIPS */
# ifdef OPENSSL_RAND_SEED_LIBRANDOM
# undef OPENSSL_RAND_SEED_LIBRANDOM
# warning FIPS mode does not support the _librandom_ randomness source
# endif
# ifdef OPENSSL_RAND_SEED_RDTSC
# undef OPENSSL_RAND_SEED_RDTSC
# warning FIPS mode does not support the _RDTSC_ randomness source
# endif
# ifdef OPENSSL_RAND_SEED_EGD
# undef OPENSSL_RAND_SEED_EGD
# warning FIPS mode does not support the _EGD_ randomness source
# endif
# ifdef OPENSSL_RAND_SEED_NONE
# undef OPENSSL_RAND_SEED_NONE
# warning FIPS mode does not support the _none_ randomness source
# endif
#endif
#if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
|| defined(__DJGPP__)
# include <sys/types.h>
@ -609,7 +639,9 @@ size_t prov_pool_acquire_entropy(RAND_POOL *pool)
# if defined(OPENSSL_RAND_SEED_NONE)
return rand_pool_entropy_available(pool);
# else
size_t entropy_available;
size_t entropy_available = 0;
(void)entropy_available; /* avoid compiler warning */
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
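Review bot: The four `# warning` branches in the new `FIPS_MODULE` block drop a configured seed source and carry on, so a FIPS build configured with librandom, RDTSC, EGD or none is seeded differently from what was requested, and only a build-log line says so. `#warning` is also not part of ISO C before C23, so how a given Unix compiler treats it is not guaranteed. For `OPENSSL_RAND_SEED_NONE` the undef also changes which branch of `prov_pool_acquire_entropy` is compiled, as the `# if defined(OPENSSL_RAND_SEED_NONE)` test in the second hunk shows; the rest of that function is outside the hunk, so the effect on its return path is inferred. Consider failing the build the way the missing-source check above does, e.g. `# error FIPS mode does not support the _none_ randomness source`. If downgrade-and-continue is intended, extend the `/* Remove the sources that are not permitted in FIPS */` comment to say why.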

